draft-ietf-hip-cert-07.txt   draft-ietf-hip-cert-08.txt 
Host Identity Protocol Heer Host Identity Protocol Heer
Internet-Draft Distributed Systems Group, RWTH Internet-Draft Distributed Systems Group, RWTH
Intended status: Experimental Aachen University Intended status: Experimental Aachen University
Expires: July 16, 2011 Varjonen Expires: July 22, 2011 Varjonen
Helsinki Institute for Information Helsinki Institute for Information
Technology Technology
January 12, 2011 January 18, 2011
Host Identity Protocol Certificates Host Identity Protocol Certificates
draft-ietf-hip-cert-07 draft-ietf-hip-cert-08
Abstract Abstract
The CERT parameter is a container for X.509.v3 certificates and The CERT parameter is a container for X.509.v3 certificates and
Simple Public Key Infrastructure (SPKI) certificates. It is used for Simple Public Key Infrastructure (SPKI) certificates. It is used for
carrying these certificates in Host Identity Protocol (HIP) control carrying these certificates in Host Identity Protocol (HIP) control
packets. This document specifies the certificate parameter and the packets. This document specifies the certificate parameter and the
error signaling in case of a failed verification. Additionally, this error signaling in case of a failed verification. Additionally, this
document specifies the representations of Host Identity Tags in document specifies the representations of Host Identity Tags in
X.509.v3 and SPKI certificates. X.509.v3 and SPKI certificates.
skipping to change at page 2, line 9 skipping to change at page 2, line 9
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 16, 2011. This Internet-Draft will expire on July 22, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 4, line 43 skipping to change at page 4, line 43
| SPKI | 2 | | SPKI | 2 |
| Hash and URL of X.509.v3 | 3 | | Hash and URL of X.509.v3 | 3 |
| Hash and URL of SPKI | 4 | | Hash and URL of SPKI | 4 |
| LDAP URL of X.509.v3 | 5 | | LDAP URL of X.509.v3 | 5 |
| LDAP URL of SPKI | 6 | | LDAP URL of SPKI | 6 |
| Distinguished Name of X.509.v3 | 7 | | Distinguished Name of X.509.v3 | 7 |
| Distinguished Name of SPKI | 8 | | Distinguished Name of SPKI | 8 |
+--------------------------------+-------------+ +--------------------------------+-------------+
The next sections outline the use of HITs in X.509.v3 and in SPKI The next sections outline the use of HITs in X.509.v3 and in SPKI
certificates. X.509.v3 certificates are defined in [RFC3280]. The certificates. X.509.v3 certificates are defined in [RFC5280]. The
wire format for X.509.v3 is Distinguished Encoding Rules format as wire format for X.509.v3 is Distinguished Encoding Rules format as
defined in [X.690]. The SPKI and its formats are defined in defined in [X.690]. The SPKI and its formats are defined in
[RFC2693]. [RFC2693].
Hash and URL encodings (3 and 4) are used as defined in [RFC4306] Hash and URL encodings (3 and 4) are used as defined in [RFC5996]
Section 3.6. Using hash and URL encodings results in smaller HIP Section 3.6. Using hash and URL encodings results in smaller HIP
control packets, but requires the receiver to resolve the URL or control packets, but requires the receiver to resolve the URL or
check a local cache against the hash. check a local cache against the hash.
LDAP URL encodings (5 and 6) are used as defined in [RFC2255]. Using LDAP URL encodings (5 and 6) are used as defined in [RFC4516]. Using
LDAP URL encoding results in smaller HIP control packets but requires LDAP URL encoding results in smaller HIP control packets but requires
the receiver to retrieve the certificate or check a local cache the receiver to retrieve the certificate or check a local cache
against the URL. against the URL.
Distinguished name (DN) encodings (7 and 8) are used as defined in Distinguished name (DN) encodings (7 and 8) are used as defined in
[RFC1779]. Using the DN encoding results in smaller HIP control [RFC4514]. Using the DN encoding results in smaller HIP control
packets, but requires the receiver to retrieve the certificate or packets, but requires the receiver to retrieve the certificate or
check a local cache against the DN. check a local cache against the DN.
3. X.509.v3 Certificate Object and Host Identities 3. X.509.v3 Certificate Object and Host Identities
When using X.509.v3 certificates to transmit information related to When using X.509.v3 certificates to transmit information related to
HIP hosts, HITs MAY be enclosed within the certificates. HITs can HIP hosts, HITs MAY be enclosed within the certificates. HITs can
represent an issuer, a subject, or both. In X.509.v3 HITs are represent an issuer, a subject, or both. In X.509.v3 HITs are
represented as issuer or subject alternative name extensions as represented as issuer or subject alternative name extensions as
defined in [RFC2459]. If only the HIT of the host is presented as defined in [RFC5280]. If only the HIT of the host is presented as
either the issuer or the subject the respective HIT MUST be placed either the issuer or the subject the respective HIT MUST be placed
into the respective entity's DN's Common Name (CN) section in a colon into the respective entity's DN's Common Name (CN) section in a colon
delimited presentation format defined in [RFC5952]. Inclusion of CN delimited presentation format defined in [RFC5952]. Inclusion of CN
is not necessary if DN contains any other naming information. It is is not necessary if DN contains any other naming information. It is
RECOMMENDED to use the FQDN/NAI from the hosts HOST_ID parameter in RECOMMENDED to use the FQDN/NAI from the hosts HOST_ID parameter in
the DN if one exists. The full HIs are presented in the public key the DN if one exists. The full HIs are presented in the public key
entries of X.509.v3 certificates. entries of X.509.v3 certificates.
The following examples illustrate how HITs are presented as issuer The following examples illustrate how HITs are presented as issuer
and subject in the DN and in the X.509.v3 extension alternative and subject in the DN and in the X.509.v3 extension alternative
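Review bot: the hash-and-URL paragraph ("Hash and URL encodings (3 and 4) ... check a local cache against the hash") says the receiver must resolve the URL or consult a cache, but never states that a certificate fetched from the URL has to be compared against the hash carried in the CERT parameter before it is used; without that sentence the URL alone decides which certificate is accepted. Suggest adding: "The receiver MUST verify that the hash of the retrieved certificate matches the hash carried in the CERT parameter before using it." Separately, in Section 3 the sentence "If only the HIT of the host is presented as either the issuer or the subject the respective HIT MUST be placed into the respective entity's DN's Common Name (CN) section" is immediately followed by "Inclusion of CN is not necessary if DN contains any other naming information", which leaves unclear when the MUST applies; stating the condition once (for example "When the DN carries no other naming information, the HIT MUST be placed in the CN") and correcting "hosts HOST_ID" to "host's HOST_ID" would resolve it.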
skipping to change at page 7, line 26 skipping to change at page 7, line 26
follows: follows:
Format: (hash hit hit-of-host) Format: (hash hit hit-of-host)
Example: (hash hit 2001:13:724d:f3c0:6ff0:33c2:15d8:5f50) Example: (hash hit 2001:13:724d:f3c0:6ff0:33c2:15d8:5f50)
Appendix A shows a full example SPKI certificate with HIP content. Appendix A shows a full example SPKI certificate with HIP content.
5. Revocation of Certificates 5. Revocation of Certificates
Revocation of X.509.v3 certificates is handled as defined in Section Revocation of X.509.v3 certificates is handled as defined in Section
5 of [RFC2459]. Revocation of SPKI certificates is handled as 5 of [RFC5280]. Revocation of SPKI certificates is handled as
defined in Section 5 of [RFC2693]. defined in Section 5 of [RFC2693].
6. Error signaling 6. Error signaling
If the Initiator does not send the certificate that the Responder If the Initiator does not send the certificate that the Responder
requires the Responder may take actions (e.g. reject the connection). requires the Responder may take actions (e.g. reject the connection).
The Responder MAY signal this to the Initiator by sending a HIP The Responder MAY signal this to the Initiator by sending a HIP
NOTIFY message with NOTIFICATION parameter error type NOTIFY message with NOTIFICATION parameter error type
CREDENTIALS_NEEDED. CREDENTIALS_NEEDED.
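Review bot: in Section 6, "the Responder may take actions (e.g. reject the connection)" uses a lowercase "may" right before a sentence that uses the RFC 2119 keyword "MAY", so it is ambiguous whether rejecting the connection is a normative option or descriptive text; either capitalize it or reword to "the Responder can take actions". The same sentence also needs a comma after "requires". In Section 5, the updated citation "Section 5 of [RFC5280]" keeps the section number of the [RFC2459] citation it replaces; Section 5 of RFC 5280 is still the CRL profile, so the pointer is correct, but it is worth confirming the same for every renumbered citation rather than carrying section numbers over mechanically.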
skipping to change at page 9, line 9 skipping to change at page 9, line 9
9. Acknowledgements 9. Acknowledgements
The authors would like to thank A. Keranen, D. Mattes, M. Komu and T. The authors would like to thank A. Keranen, D. Mattes, M. Komu and T.
Henderson for the fruitful conversations on the subject. D. Mattes Henderson for the fruitful conversations on the subject. D. Mattes
most notably contributed the non-HIP aware use case in Section 3. most notably contributed the non-HIP aware use case in Section 3.
10. References 10. References
10.1. Normative References 10.1. Normative References
[RFC1779] Kille, S., "A String Representation of Distinguished
Names", RFC 1779, March 1995.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2255] Howes, T. and M. Smith, "The LDAP URL Format", RFC 2255,
December 1997.
[RFC2459] Housley, R., Ford, W., Polk, T., and D. Solo, "Internet
X.509 Public Key Infrastructure Certificate and CRL
Profile", RFC 2459, January 1999.
[RFC2693] Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, [RFC2693] Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas,
B., and T. Ylonen, "SPKI Certificate Theory", RFC 2693, B., and T. Ylonen, "SPKI Certificate Theory", RFC 2693,
September 1999. September 1999.
[RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet [RFC4514] Zeilenga, K., "Lightweight Directory Access Protocol
X.509 Public Key Infrastructure Certificate and (LDAP): String Representation of Distinguished Names",
Certificate Revocation List (CRL) Profile", RFC 3280, RFC 4514, June 2006.
April 2002.
[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", [RFC4516] Smith, M. and T. Howes, "Lightweight Directory Access
RFC 4306, December 2005. Protocol (LDAP): Uniform Resource Locator", RFC 4516,
June 2006.
[RFC5201] Moskowitz, R., Nikander, P., Jokela, P., and T. Henderson, [RFC5201] Moskowitz, R., Nikander, P., Jokela, P., and T. Henderson,
"Host Identity Protocol", RFC 5201, April 2008. "Host Identity Protocol", RFC 5201, April 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008.
[RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
Address Text Representation", RFC 5952, August 2010. Address Text Representation", RFC 5952, August 2010.
[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol Version 2 (IKEv2)",
RFC 5996, September 2010.
10.2. Informative References 10.2. Informative References
[X.690] ITU-T, "Recommendation X.690 Information Technology - [X.690] ITU-T, "Recommendation X.690 Information Technology -
ASN.1 encoding rules: Specification of Basic Encoding ASN.1 encoding rules: Specification of Basic Encoding
Rules (BER), Canonical Encoding Rules (CER) and Rules (BER), Canonical Encoding Rules (CER) and
Distinguished Encoding Rules (DER)", July 2002, <http:// Distinguished Encoding Rules (DER)", July 2002, <http://
www.itu.int/ITU-T/studygroups/com17/languages/ www.itu.int/ITU-T/studygroups/com17/languages/
X.690-0207.pdf>. X.690-0207.pdf>.
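Review bot: [X.690] is cited in Section 2 as the definition of the X.509.v3 wire format ("Distinguished Encoding Rules format as defined in [X.690]") but is listed under 10.2 Informative References; a specification an implementer needs in order to produce the wire format belongs under 10.1 Normative References. The 07-to-08 refresh replaces [RFC1779], [RFC2255], [RFC2459], [RFC3280] and [RFC4306] with [RFC4514], [RFC4516], [RFC5280] and [RFC5996], which matches the in-text citations visible in Sections 2, 3 and 5; confirm that the sections skipped in this diff contain no remaining citation of the removed entries.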
Appendix A. SPKI certificate example Appendix A. SPKI certificate example
skipping to change at page 13, line 22 skipping to change at page 13, line 22
Changes from version 06 to 07: Changes from version 06 to 07:
o Editorial changes. o Editorial changes.
o Removed a the second paragraph in section 8. o Removed a the second paragraph in section 8.
o Changed the example in Appendix A (Cert created without the o Changed the example in Appendix A (Cert created without the
leading zeroes in HITs). leading zeroes in HITs).
Changes from version 07 to 08:
o Updated and checked the references.
Authors' Addresses Authors' Addresses
Tobias Heer Tobias Heer
Distributed Systems Group, RWTH Aachen University Distributed Systems Group, RWTH Aachen University
Ahornstrasse 55 Ahornstrasse 55
Aachen Aachen
Germany Germany
Phone: +49 241 80 214 36 Phone: +49 241 80 214 36
Email: heer@cs.rwth-aachen.de Email: heer@cs.rwth-aachen.de
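Review bot: the 07-to-08 changelog entry "Updated and checked the references." should list the actual replacements shown in this diff (RFC 3280 and RFC 2459 to RFC 5280, RFC 4306 to RFC 5996, RFC 2255 to RFC 4516, RFC 1779 to RFC 4514), since each one swaps a normative citation and readers need to see which sections are affected. The 06-to-07 entry "Removed a the second paragraph in section 8." still carries the stray "a".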
 End of changes. 17 change blocks. 
26 lines changed or deleted 29 lines changed or added

This html diff was produced by rfcdiff 1.40. The latest version is available from http://tools.ietf.org/tools/rfcdiff/